US10896085B2ActiveUtilityA1

Mitigating actions

73
Assignee: HEWLETT PACKARD DEVELOPMENT COPriority: May 8, 2018Filed: May 8, 2018Granted: Jan 19, 2021
Est. expiryMay 8, 2038(~11.8 yrs left)· nominal 20-yr term from priority
G06F 21/554H04L 63/145G06F 11/1458G06F 2201/84H04L 63/20G06F 11/0793G06F 21/56G06F 11/1471G06F 21/568G06F 11/0778G06F 11/1451
73
PatentIndex Score
2
Cited by
12
References
20
Claims

Abstract

In an example there is provided a method of applying a mitigation action to a computing system. The method comprises receiving notification of an intrusion event on a computing system. The notification identifies one or more of data, and a process affected by the intrusion event. The method comprises accessing state data corresponding to a state of the computing system prior to the intrusion event, accessing a policy specifying one or more mitigation actions to be applied to the one or more of data, and a process in response to an intrusion event, restoring the one or more of data, and the process on the basis of the state data, and applying a mitigation action according to the policy.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method performed by a computing system comprising a hardware processor, comprising:
 receiving a notification of an intrusion event at the computing system, the notification identifying a service affected by the intrusion event; 
 accessing state data corresponding to a state of the computing system prior to the intrusion event; 
 determining a context of the computing system; 
 selecting, based on the determined context, a first policy from a plurality of policies, the first policy specifying a first mitigation action to apply in the computing system in response to the intrusion event, wherein the plurality of policies correspond to respective different contexts and specify application of different mitigation actions for the intrusion event; 
 applying the first mitigation action according to the first policy, wherein the first mitigation action comprises maintaining a first function of the service while disabling a second function of the service, wherein the maintaining and the disabling cause the service to operate in a degraded mode where the first function is available and the second function is not available; and 
 restoring the computing system based on the state data. 
 
     
     
       2. The method of  claim 1 , wherein the first policy comprises a constraint to be applied to the service in response to the intrusion event, and wherein the constraint applied comprises limiting usage of a central processing unit (CPU) or a random access memory (RAM). 
     
     
       3. The method of  claim 1 , wherein the context is based on a type of platform of the computing system. 
     
     
       4. The method of  claim 1 , wherein the first policy comprises instructions to maintain the first function in response to the intrusion event, and instructions to disable the second function in response to the intrusion event. 
     
     
       5. The method of  claim 1 , comprising:
 updating the first policy to specify a further mitigation action to be applied in response to a further intrusion event; 
 receiving a notification of the further intrusion event; 
 accessing the updated first policy; and 
 applying the further mitigation action according to the updated first policy. 
 
     
     
       6. The method of  claim 3 , wherein a first context of the different contexts comprises a first type of platform of the computing system, and a second context of the different contexts comprises a second type of platform of the computing system, and
 wherein the first mitigation action specified by the first policy corresponding to the first context for the intrusion event is different from a second mitigation action specified by a second policy corresponding to the second context for the intrusion event. 
 
     
     
       7. The method of  claim 1 , comprising:
 determining a snapshot of the state data of the computing system; and 
 storing the snapshot. 
 
     
     
       8. The method of  claim 7 , wherein the accessing of the state data corresponding to the state of the computing system prior to the intrusion event comprises accessing the snapshot. 
     
     
       9. The method of  claim 7 , wherein the determining of the snapshot comprises maintaining a log of the state data that has been modified from a previous snapshot. 
     
     
       10. The method of  claim 1 , wherein the applying of the first mitigation action comprises:
 determining a characteristic of the intrusion event; and 
 determining, based on the first policy and the characteristic of the intrusion event, the first mitigation action to apply. 
 
     
     
       11. The method of  claim 1 , further comprising:
 reversing the first mitigation action in response to the service being patched to prevent a further intrusion event. 
 
     
     
       12. The method of  claim 1 , wherein the first function is a read access of data of the computing system, and the disabled second function is a write access of the data of the computing system. 
     
     
       13. The method of  claim 1 , wherein the disabled second function is an access of a Universal Serial Bus (USB) device. 
     
     
       14. The method of  claim 6 , wherein the first type of platform of the computing system comprises one of a server computer, a desktop computer, and an embedded system, and the second type of platform of the computing system comprises a different one of the server computer, the desktop computer, and the embedded system. 
     
     
       15. A recovery system for a computing device, comprising:
 a storage medium to store state data of the computing device; and 
 a processor to execute instructions to:
 receive a notification of an intrusion event on the computing device; 
 access the state data from the storage medium, wherein the accessed state data corresponds to a state of the computing device prior to the intrusion event; 
 determine a context of the computing device; 
 select, based on the determined context, a first policy from a plurality of policies, the first policy specifying a first mitigation action to apply in the computing device in response to the intrusion event, wherein the plurality of policies correspond to respective different contexts and specify application of different mitigation actions for the intrusion event; 
 apply the first mitigation action in response to the intrusion event, wherein the first mitigation action comprises maintaining a first function of a service affected by the intrusion event while disabling a second function of the service, wherein the maintaining and the disabling are to cause the service to operate, in the computing device, in a degraded mode where the first function is available and the second function is not available; and 
 restore the computing device based on the state data. 
 
 
     
     
       16. The recovery system of  claim 15 , wherein the context is based on a type of platform of the computing device, a first context of the different contexts comprises a first type of platform of the computing device, and a second context of the different contexts comprises a second type of platform of the computing device, and wherein the first mitigation action specified by the first policy corresponding to the first context for the intrusion event is different from a second mitigation action specified by a second policy corresponding to the second context for the intrusion event. 
     
     
       17. The recovery system of  claim 15 , wherein the first function is a read access of data of the computing device, and the disabled second function is a write access of the data of the computing device. 
     
     
       18. The recovery system of  claim 15 , wherein the disabled second function is an access of a Universal Serial Bus (USB) device. 
     
     
       19. A non-transitory machine-readable storage medium comprising instructions that upon execution cause a system to:
 receive a notification of an intrusion event in a computing device, the notification identifying a service affected by the intrusion event; 
 access state data corresponding to a state of the computing device prior to the intrusion event; 
 determine a context of the computing device; 
 select, based on the determined context, a first policy from a plurality of policies, the first policy specifying a first mitigation action to apply to the service in response to the intrusion event, wherein the plurality of policies correspond to respective different contexts and specify application of different mitigation actions for the intrusion event; 
 apply the first mitigation action according to the first policy, wherein the first mitigation action comprises maintaining a first function of the service while disabling a second function of the service, wherein the maintaining and the disabling cause the service to operate in a degraded mode where the first function is available and the second function is not available; and 
 restore the computing device based on the state data. 
 
     
     
       20. The non-transitory machine-readable storage medium of  claim 19 , wherein the context is based on a type of platform of the computing device, a first context of the different contexts comprises a first type of platform of the computing device, and a second context of the different contexts comprises a second type of platform of the computing device, and
 wherein the first mitigation action specified by the first policy corresponding to the first context for the intrusion event is different from a second mitigation action specified by a second policy corresponding to the second context for the intrusion event.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.